Merge "Add horizon WebSSO support for OpenID Connect"

Zuul 2019-01-09 22:26:48 +00:00 committed by Gerrit Code Review
commit 829cde2f35
3 changed files with 64 additions and 4 deletions
environments
puppet/services
sample-env-generator

@ -32,7 +32,7 @@ parameter_defaults:
# The url that points to your OpenID Connect provider metadata
# Type: string
KeystoneOpenIdcProviderMetadataUrl: https://myidp.example.test/metadata
KeystoneOpenIdcProviderMetadataUrl: https://myidp.example.test/auth/realms/openstack/.well-known/openid-configuration
# Attribute to be used to obtain the entity ID of the Identity Provider from the environment.
# Type: string
@ -44,7 +44,19 @@ parameter_defaults:
# A list of dashboard URLs trusted for single sign-on.
# Type: comma_delimited_list
KeystoneTrustedDashboards: https://dashboard.example.test
KeystoneTrustedDashboards: https://dashboard.example.test/dashboard/auth/websso/
# Specifies the list of SSO authentication choices to present. Each item is a list of an SSO choice identifier and a display message.
# Type: json
WebSSOChoices: [['OIDC', 'OpenID Connect']]
# Specifies a mapping from SSO authentication choice to identity provider and protocol. The identity provider and protocol names must match the resources defined in keystone.
# Type: json
WebSSOIDPMapping: {'OIDC': ['myidp', 'openid']}
# The initial authentication choice to select by default
# Type: string
WebSSOInitialChoice: OIDC
# ******************************************************
# Static parameters - these are values that must be
@ -58,6 +70,10 @@ parameter_defaults:
# Type: boolean
KeystoneOpenIdcEnable: True
# Enable support for Web Single Sign-On
# Type: boolean
WebSSOEnable: True
# *********************
# End static parameters
# *********************

@ -89,10 +89,33 @@ parameters:
default: ''
description: Horizon has a global overrides mechanism available to perform customizations
type: string
WebSSOEnable:
default: false
type: boolean
description: Enable support for Web Single Sign-On
WebSSOInitialChoice:
default: 'OIDC'
type: string
description: The initial authentication choice to select by default
WebSSOChoices:
default:
- ['OIDC', 'OpenID Connect']
type: json
description: Specifies the list of SSO authentication choices to present.
Each item is a list of an SSO choice identifier and a display
message.
WebSSOIDPMapping:
default:
'OIDC': ['myidp', 'openid']
type: json
description: Specifies a mapping from SSO authentication choice to identity
provider and protocol. The identity provider and protocol names
must match the resources defined in keystone.
conditions:
debug_unset: {equals : [{get_param: Debug}, '']}
websso_enabled: {equals : [{get_param: WebSSOEnable}, True]}
outputs:
role_data:
@ -142,6 +165,19 @@ outputs:
horizon::listen_ssl: {get_param: EnableInternalTLS}
horizon::horizon_ca: {get_param: InternalTLSCAFile}
horizon::customization_module: {get_param: HorizonCustomizationModule}
-
if:
- websso_enabled
-
horizon::websso_enabled:
get_param: WebSSOEnable
horizon::websso_initial_choice:
get_param: WebSSOInitialChoice
horizon::websso_choices:
get_param: WebSSOChoices
horizon::websso_idp_mapping:
get_param: WebSSOIDPMapping
- {}
-
if:
- debug_unset
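Review bot: The new WebSSOEnable parameter in puppet/services/horizon.yaml is documented only as `description: Enable support for Web Single Sign-On`, although the same commit changes the sample KeystoneTrustedDashboards value from a bare hostname to the horizon callback path `https://dashboard.example.test/dashboard/auth/websso/`, which suggests the flag is useless without that matching keystone entry. Given that KeystoneTrustedDashboards is described as the list of dashboard URLs trusted for single sign-on, an operator who turns this flag on while leaving the old bare-hostname value would presumably get the SSO redirect rejected by keystone rather than a clear template-level error. I would extend the description to `description: Enable support for Web Single Sign-On. The dashboard's websso callback URL (.../dashboard/auth/websso/) must be listed in KeystoneTrustedDashboards.` Likewise, WebSSOInitialChoice has no constraint tying it to an identifier present in WebSSOChoices, and the WebSSOIDPMapping default hard-codes `'myidp'`, which only matches keystone if KeystoneOpenIdcIdpName keeps its sample value; both descriptions could say so, since a mismatch there is only discovered at login time.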

@ -16,18 +16,26 @@ environments:
- KeystoneOpenIdcCryptoPassphrase
- KeystoneOpenIdcResponseType
- KeystoneOpenIdcRemoteIdAttribute
puppet/services/horizon.yaml:
parameters:
- WebSSOEnable
- WebSSOInitialChoice
- WebSSOChoices
- WebSSOIDPMapping
sample_values:
KeystoneFederationEnable: True
KeystoneOpenIdcEnable: True
WebSSOEnable: True
KeystoneAuthMethods: 'password,token,openid'
KeystoneTrustedDashboards: 'https://dashboard.example.test'
KeystoneTrustedDashboards: 'https://dashboard.example.test/dashboard/auth/websso/'
KeystoneOpenIdcIdpName: 'myidp'
KeystoneOpenIdcProviderMetadataUrl: 'https://myidp.example.test/metadata'
KeystoneOpenIdcProviderMetadataUrl: 'https://myidp.example.test/auth/realms/openstack/.well-known/openid-configuration'
KeystoneOpenIdcClientId: 'myclientid'
KeystoneOpenIdcClientSecret: 'myclientsecret'
static:
- KeystoneFederationEnable
- KeystoneOpenIdcEnable
- WebSSOEnable
description: |
This is an example template on how to configure keystone federation for
the OpenID Connect protocol. You must modify the parameters to use